Hacker Tracker | April in Review

Where are we in the world of cybersecurity? It’s easy to miss the cybersecurity threats and attacks happening right in our “backyard”. Our goal at PK Tech is to educate and offer proactive steps for cybersecurity safety. It’s important to be aware–without being afraid–of the cybersecurity threats that are real threats for your business. PK Tech aims to be a leading educator and support tool in the world of cybersecurity.

Check out our monthly “Hacker Tracker” for the latest in cybersecurity hacks, breaches and updates…

US Treasury links North Korean hacker group Lazarus to $600M Axie Infinity heist | 4.14.22

• The US Treasury Department on Thursday linked a notorious North Korean hacking group to a massive $600 million cyber breach last month. 
• The connection was clear when the Treasury Department updated its sanctions listing for the hacking group, called Lazarus Group. The federal agency added a cryptocurrency address that was used to steal $600 million from the Ronin network, a blockchain network created by the Vietnamese game company Sky Mavis. 
• The Ronin network powers the play-to-earn game Axie Finity.
• View the Source 

Beanstalk DeFi project robbed of $182 million in flash loan attack | 4.21.22

• Decentralized finance (DeFi) project Beanstalk has lost $182 million in a flash loan attack. Beanstalk is a credit-based stablecoin protocol project based on Ethereum.
• This security incident was possible after the unknown threat actor secured the project voting rights necessary to transfer reserve funds away from the project’s liquidity pools.
• Flash loan functions in DeFi projects allow users to borrow large amounts of virtual funds for a short period of time. In Beanstalk Farm’s case, voting powers were based on the amount of tokens held.
• View the Source

Hive hackers are exploiting Microsoft Exchange Servers in ransomware spree | 4.21.22

• The Hive threat group is targeting vulnerable Microsoft Exchange Servers to deploy ransomware. First spotted in June 2021, Hive is a Ransomware-as-a-Service (RaaS) model in which cyberattackers can utilize the Hive ransomware strain in attacks.
• The threat actors operate a leak site, accessible via a .onion address, which aims to ‘name and shame’ ransomware victims. Additionally, the malware operators practice double-extortion, in which sensitive corporate data is stolen from a victim organization before disk encryption.
• If a victim refuses to pay for a decryption key, the cyberattackers will plaster their name across the leak site and set a timer before the data is leaked. 
• View the Source

Lessons Learned

#1- From the US Treasury attack, we learn a scary truth: hackers are more emboldened than ever. Do not sleep on cybersecurity for your organization. To put his attack in perspective, hackers from North Korea stole nearly $400 million worth of cryptocurrency total in 2021 (source). Thus, $600 million in one attack is a lot and sets the tone for the direction we’re headed with ransomware. 

#2- What may seem like more of a corporate heist than a typical cyberattack, the Beanstalk flash loan attack is nonetheless a major breach to be analyzed. $182 million is no small sum. What do we learn? Hackers are not just getting ‘smarter’, they’re on the verge of brilliance in many cases, and we need to be on alert. In the case of this attack, the attacker creatively secured a flash loan that allotted them extensive voting rights–allowing them to accept or decline changes in the protocol’s code. The emergency governance mechanism was abused to ‘vote’ for a malicious proposal. 

#3- With cyber actors now operating in ‘groups’, you are right to be scared (but don’t worry too hard, proper prevention and planning with IT experts can protect your organization in many cases!). In the case of the HIVE group, they are basically using a double extortion scheme to con victims into paying. As with any ransomware group, they have multiple individuals operating from different angles of the attack, making it almost impossible for a victim to free themselves after the attack is initiated. The answer to these attacks? Regular updates and regular threat scanning.

Get in touch with PK Tech here.